
support ssh.GSSAPIClient interface

Open zhaozhongshu opened this issue 4 years ago • 3 comments

In golang.org/x/crypto/ssh, there is the following interface:

```go
// GSSAPIClient provides the API to plug-in GSSAPI authentication for client logins.
type GSSAPIClient interface {
	// InitSecContext initiates the establishment of a security context for GSS-API between the
	// ssh client and ssh server. Initially the token parameter should be specified as nil.
	// The routine may return a outputToken which should be transferred to
	// the ssh server, where the ssh server will present it to
	// AcceptSecContext. If no token need be sent, InitSecContext will indicate this by setting
	// needContinue to false. To complete the context
	// establishment, one or more reply tokens may be required from the ssh
	// server; if so, InitSecContext will return a needContinue which is true.
	// In this case, InitSecContext should be called again when the
	// reply token is received from the ssh server, passing the reply
	// token to InitSecContext via the token parameters.
	// See RFC 2743 section 2.2.1 and RFC 4462 section 3.4.
	InitSecContext(target string, token []byte, isGSSDelegCreds bool) (outputToken []byte, needContinue bool, err error)
	// GetMIC generates a cryptographic MIC for the SSH2 message, and places
	// the MIC in a token for transfer to the ssh server.
	// The contents of the MIC field are obtained by calling GSS_GetMIC()
	// over the following, using the GSS-API context that was just
	// established:
	//  string    session identifier
	//  byte      SSH_MSG_USERAUTH_REQUEST
	//  string    user name
	//  string    service
	//  string    "gssapi-with-mic"
	// See RFC 2743 section 2.3.1 and RFC 4462 3.5.
	GetMIC(micFiled []byte) ([]byte, error)
	// Whenever possible, it should be possible for
	// DeleteSecContext() calls to be successfully processed even
	// if other calls cannot succeed, thereby enabling context-related
	// resources to be released.
	// In addition to deleting established security contexts,
	// gss_delete_sec_context must also be able to delete "half-built"
	// security contexts resulting from an incomplete sequence of
	// InitSecContext()/AcceptSecContext() calls.
	// See RFC 2743 section 2.2.3.
	DeleteSecContext() error
}
```

I want to add this feature; give me some advice.

zhaozhongshu avatar May 01 '20 02:05 zhaozhongshu

I think you could implement this externally and use the HTTP client middleware as a reference, but you need access to the serviceSettings field of the SPNEGO struct.

phin1x avatar Aug 06 '20 20:08 phin1x

You can refer to these two: https://github.com/yiya1989/sshkrb5/blob/main/examples/sshwithkrb5.go and https://github.com/nhywieza/sshgssapi

yiya1989 avatar Nov 10 '20 12:11 yiya1989

I've created a package that implements this interface. It can use this gokrb5 package, the C-based GSSAPI bindings, or the Windows SSPI framework. It's available here: https://github.com/bodgit/sshkrb5

bodgit avatar Jan 18 '21 21:01 bodgit